Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript (googleprojectzero.blogspot.com)
121 points by runesoerensen on Dec 18, 2017 | hide | past | favorite | 17 comments



Just checked wpad.sk. According to who.is, the domain has been updated recently. One of the listed organizations is ptstrustee.com, which specializes in hiding the real identity of domain owners.

As expected, they're serving http://wpad.sk/wpad.dat. In that file there is a reference to the WPADblock.com project, but I'm not sure if it's legit. Also, in wpad.dat there are some regexps; if the conditions are met, it sets the proxy server to their server.

For me it's strange. Does anybody have experience from other TLDs?


I just purchased a wpad.$TLD to see how much traffic it will get; I'll post back when DNS updates.


6092 requests in 3 hours. 73 unique IP addresses. Unique UserAgents: "WinHttp-Autoproxy-Service/5.1".


Is that perhaps a standard proxy autoconfig setup that just happens to be distributed by a domain named for the configuration format (rather than a malicious proxy exploiting tld fallback)?


We've known for quite a while that WPAD/PAC is a problem and supporting it by default is even worse. Exploiting browsers via JavaScript:

https://www.youtube.com/watch?v=3vegxj5a1Rw

Rendering JavaScript and other bad things that are apparently still embargoed in the context of an HTTP 407 with WPAD/PAC being one vector to get in the middle:

http://www.falseconnect.com/


Heh, WPAD from a local network webserver was how I used to ad-block ~10 years ago. It was easy to make and set up, helped with ad-blocking in both browsers and hosted web views like game launchers, and allowed always proxying some sites through a SOCKS5 proxy.

IE never sent the full URL to FindProxyForURL, and around 2017-02 Chrome followed suit, so I had to migrate it to a Chrome extension. I still have the wpad.dat configured on the network in case something still reads it.


Yep, WPAD is extremely useful and it's just JavaScript with some extra functions [0]!

I've also used it to send *.company.com requests via local proxy to their servers and the rest via direct connections basically emulating split DNS without sending all traffic through their VPN.

[0]: http://findproxyforurl.com/example-pac-file/
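The two comments above describe what a PAC/wpad.dat file actually is: plain JavaScript with a `FindProxyForURL(url, host)` entry point and a handful of helper functions the client injects, which a network owner can use for split routing (intranet via proxy, everything else direct), blackholing ad hosts, or sending selected sites through SOCKS5. The file below is an added example written for this page, not code from the thread, the linked site or the Project Zero post. The host names, proxy addresses and ports in it are made up, and the `isPlainHostName`, `dnsDomainIs` and `shExpMatch` definitions are simplified re-implementations of the PAC built-ins, included only so the file runs under plain Node without a browser around it. It also keys every decision on `host` rather than on the URL path, since, as noted above, current browsers no longer pass the full URL.

```javascript
// Added example (not from the thread): a PAC file of the shape the comments
// describe, plus local stand-ins for the helpers a browser or WinHTTP injects
// when it evaluates wpad.dat. All host names, ports and addresses are made up.

// --- stand-ins for PAC built-ins (simplified re-implementations, not the
// --- browser's own; provided so the file runs under plain Node) -----------
function isPlainHostName(host) {
  return host.indexOf(".") === -1;               // "intranet" yes, "a.b" no
}

function dnsDomainIs(host, domain) {
  // Suffix test, as in the classic Netscape semantics. Pass the domain with a
  // leading "." so that "notcorp.example" does not match ".corp.example".
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" exactly one.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// --- the PAC script itself ---------------------------------------------------
const CORP_PROXY = "PROXY proxy.corp.example:3128";  // made-up corporate proxy
const SOCKS_EXIT = "SOCKS5 127.0.0.1:1080";          // made-up local SOCKS5 tunnel
const BLACKHOLE  = "PROXY 127.0.0.1:9";              // nothing listens; request fails fast

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Decisions key on `host`, never on the path: browsers now strip the path
  // (and for https everything after the host) before calling this function.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return CORP_PROXY + "; DIRECT";                // fall back if the proxy is down
  }
  if (shExpMatch(host, "*.ads.example") || shExpMatch(host, "tracker?.example")) {
    return BLACKHOLE;                              // the ad-block trick from the thread
  }
  if (dnsDomainIs(host, ".geo-locked.example")) {
    return SOCKS_EXIT + "; DIRECT";                // selected sites via SOCKS5
  }
  return "DIRECT";                                 // everything else: no proxy
}

// --- a helper for reviewing a PAC decision ----------------------------------
// Splits a return value such as "PROXY a:1; DIRECT" into the candidates the
// client will try, in order. Useful when auditing a wpad.dat you did not
// write: feed it the hosts you care about and see where traffic would go.
function explainRoute(url, host) {
  return FindProxyForURL(url, host).split(";").map((entry) => {
    const [type, target] = entry.trim().split(/\s+/);
    return { type, target: target || null };
  });
}
```

Only the three constants and `FindProxyForURL` belong in a real wpad.dat; the helper stand-ins and `explainRoute` are for running the script locally. The audit use is the defender's angle on the earlier comment about wpad.sk: a client will execute whatever the wpad host serves, so pasting a fetched wpad.dat into a harness like this and checking `explainRoute` for your important hosts shows exactly which traffic that file would redirect.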


My reaction when the same thing keeps being a security problem...seriously, wasn't there a major WPAD/PAC issue earlier this year?


WPAD is a shitshow and has been for years.

It’s impossible to troubleshoot and doesn’t work well, but at the same time, it’s the “best worst” solution for many LANs.

I think the right answer to this type of issue is autoconf, but that isn’t widely adopted.


I'd love for there to be a better solution, because as you say it's the "best worst" solution in many cases.


There are better solutions, but they won’t work everywhere. Transparent proxies come to mind.


Transparent proxies break horribly when you need to deal with HTTPS, and I’m not talking about “oh, you need to install the CA” because that’s necessary for a configured proxy as well.

Chrome in particular breaks on any Google domain because they pin keys as a security measure; when using WPAD or manual system proxy settings it will happily connect.

And before someone says “don’t intercept SSL”, I’ve got Sophos XG deployed on my home network to do content filtering to keep my five-year-old from accidentally pulling up things she shouldn’t online. She’s not at an age where she gets unsupervised access to the computer, she can’t type (or spell sometimes) properly, etc., but it lets me pull open Leapfrog Academy for her and know that if she somehow managed to go elsewhere by accident, the chance of her running into age-inappropriate content is minimal.


This begs the question: https://superuser.com/q/1278277/41259 how the heck do we disable this in the network stack?


Ctrl+F "In case you want to take action on your own" in the article.


I missed that! I didn't read the whole thing; it was too long, and the article ends with things that do not work, so somehow I presumed there's nothing that works, then.


Yep, the answer is at the very bottom. WPAD can be disabled via the registry.


Run this from an elevated Command Prompt...

  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc /v Start /t REG_DWORD /d 4 /f



